difftreelog
feat reencrypt secret on remote server
in: trunk
8 files changed
cmds/fleet/src/cmds/info.rsdiffbeforeafterboth--- a/cmds/fleet/src/cmds/info.rs
+++ b/cmds/fleet/src/cmds/info.rs
@@ -1,15 +1,8 @@
-use std::{collections::BTreeSet, time::Duration};
+use std::collections::BTreeSet;
-use crate::{command::CommandExt, host::Config};
-use anyhow::{bail, ensure, Result};
+use crate::host::Config;
+use anyhow::{ensure, Result};
use clap::Parser;
-use nixlike::format_nix;
-use serde_json::{json, Value};
-use tokio::{
- fs::{self, File},
- io::AsyncWriteExt,
- process::Command,
-};
#[derive(Parser)]
pub struct Info {
cmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth12 iter,12 iter,13 path::PathBuf,13 path::PathBuf,14};14};15use tokio::fs::read_to_string;15use tracing::{info, warn};16use tracing::{info, warn};161717#[derive(Parser)]18#[derive(Parser)]50 Read {51 Read {51 name: String,52 name: String,52 machine: String,53 machine: String,54 #[clap(long)]55 plaintext: bool,53 },56 },54 UpdateShared {57 UpdateShared {55 name: String,58 name: String,565960 #[clap(long)]57 machines: Option<Vec<String>>,61 machines: Option<Vec<String>>,586263 #[clap(long)]59 add_machines: Vec<String>,64 add_machines: Vec<String>,65 #[clap(long)]60 remove_machines: Vec<String>,66 remove_machines: Vec<String>,616762 /// Which host should we use to decrypt68 /// Which host should we use to decrypt69 #[clap(long)]63 prefer_identities: Vec<String>,70 prefer_identities: Vec<String>,64 },71 },65 Regenerate,72 Regenerate {73 /// Which host should we use to decrypt, in case if reencryption is required, without74 /// regeneration75 #[clap(long)]76 prefer_identities: Vec<String>,77 },66}78}677968impl Secrets {80impl Secrets {110 }122 }111 };123 };112124113 let mut data = config.data_mut();125 if config.has_shared(&name) && !force {114 if data.shared_secrets.contains_key(&name) && !force {115 bail!("secret already defined");126 bail!("secret already defined");116 }127 }117 data.shared_secrets.insert(128 config.replace_shared(118 name,129 name,119 FleetSharedSecret {130 FleetSharedSecret {120 owners: machines,131 owners: machines,123 secret,134 secret,124 public: match (public, public_file) {135 public: match (public, public_file) {125 (Some(v), None) => Some(v),136 (Some(v), None) => Some(v),126 (None, Some(v)) => Some(std::fs::read_to_string(v)?),137 (None, Some(v)) => Some(read_to_string(v).await?),127 (Some(_), Some(_)) => {138 (Some(_), Some(_)) => {128 bail!("only public or public_file should be set")139 bail!("only public or public_file should be set")129 }140 }159 encrypted170 encrypted160 };171 };161172162 let mut data = config.data_mut();173 if config.has_secret(&machine, &name) && !force {163 let host_secrets = data.host_secrets.entry(machine).or_default();164 if host_secrets.contains_key(&name) && !force {165 bail!("secret already defined");174 bail!("secret already defined");166 }175 }167 host_secrets.insert(176 config.insert_secret(177 &machine,168 name,178 name,169 FleetSecret {179 FleetSecret {170 expire_at: None,180 expire_at: None,180 }190 }181 // TODO: Instead of using sudo, decode secret on remote machine191 // TODO: Instead of using sudo, decode secret on remote machine182 #[allow(clippy::await_holding_refcell_ref)]192 #[allow(clippy::await_holding_refcell_ref)]183 Secrets::Read { name, machine } => {193 Secrets::Read {194 name,184 let data = config.data();195 machine,185186 let Some(host_secrets) = data.host_secrets.get(&machine) else {196 plaintext,187 bail!("no secrets for machine {machine}");197 } => {188 };189 let Some(secret) = host_secrets.get(&name) else {198 let secret = config.host_secret(&machine, &name)?;190 bail!("machine {machine} has no secret {name}");191 };192 if secret.secret.is_empty() {199 if secret.secret.is_empty() {193 bail!("no secret {name}");200 bail!("no secret {name}");194 }201 }195 let identity = config.identity(&machine).await?;202 let data = config.decrypt_on_host(&machine, secret.secret).await?;196 let decryptor = Decryptor::new(Cursor::new(&secret.secret))?;197 let decryptor = match decryptor {203 if plaintext {198 Decryptor::Recipients(r) => r,204 let s = String::from_utf8(data).context("output is not utf8")?;199 Decryptor::Passphrase(_) => bail!("should be recipients"),200 };201 let mut decryptor = decryptor202 .decrypt(iter::once(&identity as &dyn age::Identity))203 .context("failed to decrypt, wrong key?")?;204205 let mut decrypted = Vec::new();205 print!("{s}");206 decryptor206 } else {207 .read_to_end(&mut decrypted)208 .context("failed to decrypt")?;207 println!("{}", z85::encode(&data));209 // secret.secret208 }210 std::io::stdout().lock().write_all(&decrypted)?;211 }209 }212 Secrets::UpdateShared {210 Secrets::UpdateShared {213 name,211 name,216 mut remove_machines,214 mut remove_machines,217 prefer_identities,215 prefer_identities,218 } => {216 } => {219 let mut data = config.data_mut();220 if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {217 if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {221 bail!("no operation");218 bail!("no operation");222 }219 }223220224 let Some(mut secret) = data.shared_secrets.get_mut(&name) else {221 let mut secret = config.shared_secret(&name)?;225 bail!("no shared secret {name}");226 };227 if secret.secret.secret.is_empty() {222 if secret.secret.secret.is_empty() {228 bail!("no secret");223 bail!("no secret");229 }224 }230225231 let initial_machines = secret.owners.clone();226 let initial_machines = secret.owners.clone();232 let mut target_machines = secret.owners.clone();227 let mut target_machines = secret.owners.clone();228 info!("Currently encrypted for {initial_machines:?}");233229234 // ensure!(machines.is_some() || !add_machines.is_empty() || )230 // ensure!(machines.is_some() || !add_machines.is_empty() || )235 if let Some(machines) = machines {231 if let Some(machines) = machines {254 removed = true;250 removed = true;255 }251 }256 if !removed {252 if !removed {257 bail!("secret is not enabled for {machine}");253 warn!("secret is not enabled for {machine}");258 }254 }259 }255 }260 for machine in &add_machines {256 for machine in &add_machines {261 if target_machines.iter().any(|m| m == machine) {257 if target_machines.iter().any(|m| m == machine) {262 warn!("secret is already added to {machine}");258 warn!("secret is already added to {machine}");259 } else {260 target_machines.push(machine.to_owned());263 }261 }264 }262 }265 if remove_machines.is_empty() {263 if !remove_machines.is_empty() {266 warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");264 warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");267 }265 }266268 if target_machines.is_empty() {267 if target_machines.is_empty() {269 info!("no machines left for secret, removing it");268 info!("no machines left for secret, removing it");270 data.shared_secrets.remove(&name);269 config.remove_shared(&name);271 return Ok(());270 return Ok(());272 }271 }273272273 if target_machines == initial_machines {274 warn!("secret owners are already correct");275 return Ok(());276 }277274 let identity_holder = if !prefer_identities.is_empty() {278 let identity_holder = if !prefer_identities.is_empty() {275 prefer_identities279 prefer_identities276 .iter()280 .iter()282 bail!("no available holder found");286 bail!("no available holder found");283 };287 };284 let target_recipients = futures::stream::iter(&target_machines)288 let target_recipients = futures::stream::iter(&target_machines)285 .flat_map(|m| futures::stream::once(config.recipient(m)))289 .then(|m| async { config.key(m).await })286 .collect::<Vec<_>>()290 .collect::<Vec<_>>()287 .await291 .await;288 .into_iter()292 let target_recipients =289 .map(|v| v.map(|v| Box::new(v) as Box<dyn age::Recipient + Send>))293 target_recipients.into_iter().collect::<Result<Vec<_>>>()?;290 .collect::<Result<Vec<_>>>()?;291294292 let identity = config.identity(identity_holder).await?;295 let encrypted = config293 let decryptor = Decryptor::new(Cursor::new(&secret.secret.secret))?;296 .reencrypt_on_host(&identity_holder, secret.secret.secret, target_recipients)294 let decryptor = match decryptor {295 Decryptor::Recipients(r) => r,296 Decryptor::Passphrase(_) => bail!("should be recipients"),297 };297 .await?;298 let mut decryptor = decryptor299 .decrypt(iter::once(&identity as &dyn age::Identity))300 .context("failed to decrypt, wrong key?")?;301298302 let mut decrypted = Vec::new();299 secret.owners = target_machines;303 decryptor304 .read_to_end(&mut decrypted)305 .context("failed to decrypt")?;306307 let mut encrypted = vec![];308 let mut encryptor = Encryptor::with_recipients(target_recipients)309 .expect("recipients provided")310 .wrap_output(&mut encrypted)?;311 io::copy(&mut Cursor::new(decrypted), &mut encryptor)?;312 encryptor.finish()?;313314 secret.secret.secret = encrypted;300 secret.secret.secret = encrypted;301 config.replace_shared(name, secret);315 }302 }316 Secrets::Regenerate => {303 Secrets::Regenerate { prefer_identities } => {317 // config.data_mut().shared_secrets318 {304 {319 let expected_shared_set =305 let expected_shared_set =320 config.shared_config_attr_names("sharedSecrets").await?;306 config.shared_config_attr_names("sharedSecrets").await?;321 let expected_shared_set = expected_shared_set.iter().collect::<HashSet<_>>();307 let expected_shared_set = expected_shared_set.iter().collect::<HashSet<_>>();322 let shared_set = config.data();308 let shared_set = config.list_shared();323 let shared_set = shared_set.shared_secrets.keys().collect::<HashSet<_>>();309 let shared_set = shared_set.iter().collect::<HashSet<_>>();324 for removed in expected_shared_set.difference(&shared_set) {310 for removed in expected_shared_set.difference(&shared_set) {325 warn!("secret needs to be generated: {removed}")311 warn!("secret needs to be generated: {removed}")326 }312 }327 }313 }328 let mut to_remove = Vec::new();314 let mut to_remove = Vec::new();329 for (name, data) in &config.data().shared_secrets {315 for name in &config.list_shared() {316 let mut data = config.shared_secret(name)?;330 let expected_owners: Vec<String> = config317 let expected_owners: Vec<String> = config331 .shared_config_attr(&format!("sharedSecrets.\"{name}\".expectedOwners"))318 .shared_config_attr(&format!("sharedSecrets.\"{name}\".expectedOwners"))332 .await?;319 .await?;337 }324 }338 let set = data.owners.iter().collect::<HashSet<_>>();325 let set = data.owners.iter().collect::<HashSet<_>>();339 let expected_set = expected_owners.iter().collect::<HashSet<_>>();326 let expected_set = expected_owners.iter().collect::<HashSet<_>>();327 let should_remove = set.difference(&expected_set).next().is_some();340 if set != expected_set {328 if set != expected_set {341 warn!("reconfiguring owners for {name}");329 warn!("reconfiguring owners for {name}");330 let generator: Option<String> = config331 .shared_config_attr(&format!("sharedSecrets.\"{name}\".generator"))332 .await?;333 // TODO: if !.owner_dependent334 if let Some(str) = generator {335 todo!("regenerate")336 } else {337 if should_remove {338 warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");339 }340341 let identity_holder = if !prefer_identities.is_empty() {342 prefer_identities343 .iter()344 .find(|i| data.owners.iter().any(|s| s == *i))345 } else {346 data.owners.first()347 };348 let Some(identity_holder) = identity_holder else {349 bail!("no available holder found");350 };351352 let target_recipients = futures::stream::iter(&expected_owners)353 .then(|m| async { config.key(m).await })354 .collect::<Vec<_>>()355 .await;356 let target_recipients =357 target_recipients.into_iter().collect::<Result<Vec<_>>>()?;358359 let encrypted = config360 .reencrypt_on_host(361 &identity_holder,362 data.secret.secret,363 target_recipients,364 )365 .await?;366367 data.secret.secret = encrypted;368 data.owners = expected_owners;369 config.replace_shared(name.to_owned(), data);370 }342 }371 }343 }372 }344 for k in to_remove {373 for k in to_remove {345 config.data_mut().shared_secrets.remove(&k);374 config.remove_shared(&k);346 }375 }347 }376 }348 }377 }cmds/fleet/src/fleetdata.rsdiffbeforeafterboth--- a/cmds/fleet/src/fleetdata.rs
+++ b/cmds/fleet/src/fleetdata.rs
@@ -1,8 +1,7 @@
-use anyhow::{bail, Result};
+use anyhow::Result;
use chrono::{DateTime, Utc};
use nixlike::format_nix;
use serde::{Deserialize, Deserializer, Serialize, Serializer};
-use serde_json::{json, Value};
use std::collections::BTreeMap;
use tempfile::TempDir;
use tokio::{
@@ -11,8 +10,6 @@
process::Command,
};
-use crate::command::CommandExt;
-
#[derive(Serialize, Deserialize, Default)]
#[serde(rename_all = "camelCase")]
pub struct HostData {
@@ -34,16 +31,18 @@
pub host_secrets: BTreeMap<String, BTreeMap<String, FleetSecret>>,
}
-#[derive(Serialize, Deserialize)]
+#[derive(Serialize, Deserialize, Clone)]
#[serde(rename_all = "camelCase")]
+#[must_use]
pub struct FleetSharedSecret {
pub owners: Vec<String>,
#[serde(flatten)]
pub secret: FleetSecret,
}
-#[derive(Serialize, Deserialize)]
+#[derive(Serialize, Deserialize, Clone)]
#[serde(rename_all = "camelCase")]
+#[must_use]
pub struct FleetSecret {
#[serde(default)]
#[serde(skip_serializing_if = "Option::is_none")]
@@ -75,6 +74,8 @@
.and_then(|string| z85::decode(string).map_err(|err| Error::custom(err.to_string())))
}
+/// Isn't used yet
+#[allow(dead_code)]
pub async fn dummy_flake() -> Result<TempDir> {
let data_str = fs::read_to_string("fleet.nix").await?;
cmds/fleet/src/host.rsdiffbeforeafterboth--- a/cmds/fleet/src/host.rs
+++ b/cmds/fleet/src/host.rs
@@ -8,15 +8,15 @@
sync::Arc,
};
-use anyhow::Result;
+use anyhow::{Result, bail, Context};
use clap::{ArgGroup, Parser};
use serde::de::DeserializeOwned;
-use tempfile::{NamedTempFile, TempDir};
+use tempfile::NamedTempFile;
use tokio::process::Command;
use crate::{
command::CommandExt,
- fleetdata::{dummy_flake, FleetData},
+ fleetdata::{FleetData, FleetSecret, FleetSharedSecret},
};
pub struct FleetConfigInternals {
@@ -125,13 +125,93 @@
.await
}
- pub fn data(&self) -> Ref<FleetData> {
+ pub(super) fn data(&self) -> Ref<FleetData> {
self.data.borrow()
}
- pub fn data_mut(&self) -> RefMut<FleetData> {
+ pub(super) fn data_mut(&self) -> RefMut<FleetData> {
self.data.borrow_mut()
}
+ pub fn list_shared(&self) -> Vec<String> {
+ let data = self.data();
+ data.shared_secrets.keys().cloned().collect()
+ }
+ pub fn has_shared(&self, name: &str) -> bool {
+ let data = self.data();
+ data.shared_secrets.contains_key(name)
+ }
+ pub fn replace_shared(&self, name: String, shared: FleetSharedSecret) {
+ let mut data = self.data_mut();
+ data.shared_secrets.insert(name.to_owned(), shared);
+ }
+ pub fn remove_shared(&self, secret: &str) {
+ let mut data = self.data_mut();
+ data.shared_secrets.remove(secret);
+ }
+
+ pub fn list_secrets(&self, host: &str) -> Vec<String> {
+ let data = self.data();
+ let Some(host_secrets) = data.host_secrets.get(host) else {
+ return Vec::new();
+ };
+ host_secrets.keys().cloned().collect()
+ }
+ pub fn has_secret(&self, host: &str, secret: &str) -> bool {
+ let data = self.data();
+ let Some(host_secrets) = data.host_secrets.get(host) else {
+ return false;
+ };
+ host_secrets.contains_key(secret)
+ }
+ pub fn insert_secret(&self, host: &str, secret: String, value: FleetSecret) {
+ let mut data = self.data_mut();
+ let host_secrets = data.host_secrets.entry(host.to_owned()).or_default();
+ host_secrets.insert(secret, value);
+ }
+
+ pub async fn decrypt_on_host(&self, host: &str, data: Vec<u8>) -> Result<Vec<u8>>{
+ let data = z85::encode(&data);
+ let encoded = self.command_on(host, "fleet-install-secrets", true)
+ .arg("decrypt")
+ .arg("--secret")
+ .arg(data).run_string().await.context("failed to call remote host for decrypt")?.trim().to_owned();
+ Ok(z85::decode(encoded).context("bad encoded data? outdated host?")?)
+ }
+ pub async fn reencrypt_on_host(&self, host: &str, data: Vec<u8>, targets: Vec<String>) -> Result<Vec<u8>>{
+ let data = z85::encode(&data);
+ let mut recmd = self.command_on(host, "fleet-install-secrets", true);
+ recmd
+ .arg("reencrypt")
+ .arg("--secret")
+ .arg(format!("\"{}\"", data.replace('$', "\\$")));
+ for target in targets {
+ recmd.arg("--targets");
+ recmd.arg(format!("\"{target}\""));
+ }
+ let encoded = recmd.run_string().await.context("failed to call remote host for decrypt")?.trim().to_owned();
+ Ok(z85::decode(encoded).context("bad encoded data? outdated host?")?)
+ }
+
+ #[must_use]
+ pub fn host_secret(&self, host: &str, secret: &str) -> Result<FleetSecret> {
+ let data = self.data();
+ let Some(host_secrets) = data.host_secrets.get(host) else {
+ bail!("no secrets for machine {host}");
+ };
+ let Some(secret) = host_secrets.get(secret) else {
+ bail!("machine {host} has no secret {secret}");
+ };
+ Ok(secret.clone())
+ }
+ #[must_use]
+ pub fn shared_secret(&self, secret: &str) -> Result<FleetSharedSecret> {
+ let data = self.data();
+ let Some(secret) = data.shared_secrets.get(secret) else {
+ bail!("no shared secret {secret}");
+ };
+ Ok(secret.clone())
+ }
+
pub fn save(&self) -> Result<()> {
let mut tempfile = NamedTempFile::new_in(self.directory.clone())?;
let data = nixlike::serialize(&self.data() as &FleetData)?;
cmds/fleet/src/keys.rsdiffbeforeafterboth--- a/cmds/fleet/src/keys.rs
+++ b/cmds/fleet/src/keys.rs
@@ -36,15 +36,6 @@
}
}
/// Insecure, requires root
- pub async fn identity(&self, host: &str) -> anyhow::Result<age::ssh::Identity> {
- warn!("Loading private key for {host}");
- let key = self
- .command_on(host, "cat", true)
- .arg("/etc/ssh/ssh_host_ed25519_key")
- .run_string()
- .await?;
- Ok(age::ssh::Identity::from_buffer(key.as_bytes(), None)?)
- }
pub async fn recipient(&self, host: &str) -> anyhow::Result<age::ssh::Recipient> {
let key = self.key(host).await?;
age::ssh::Recipient::from_str(&key).map_err(|e| anyhow!("parse recipient error: {:?}", e))
cmds/install-secrets/src/main.rsdiffbeforeafterboth--- a/cmds/install-secrets/src/main.rs
+++ b/cmds/install-secrets/src/main.rs
@@ -1,21 +1,66 @@
-use age::Decryptor;
+use age::{ssh::Identity as SshIdentity, ssh::Recipient as SshRecipient, Decryptor};
+use age::{Encryptor, Identity, Recipient};
use anyhow::{anyhow, bail, Context, Result};
use clap::Parser;
use log::{error, info, warn};
use nix::sys::stat::Mode;
use nix::unistd::{chown, Group, User};
use serde::{Deserialize, Deserializer};
+use std::fmt::{self, Display};
use std::fs::{self, File};
use std::io::{self, Cursor, Read, Write};
use std::iter;
use std::os::unix::prelude::PermissionsExt;
-use std::str::from_utf8;
+use std::path::Path;
+use std::str::{from_utf8, FromStr};
use std::{collections::HashMap, path::PathBuf};
+#[derive(Clone, Debug)]
+struct SecretWrapper(Vec<u8>);
+impl Display for SecretWrapper {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ let encoded = z85::encode(&self.0);
+ write!(f, "{encoded}")
+ }
+}
+impl FromStr for SecretWrapper {
+ type Err = z85::DecodeError;
+
+ fn from_str(s: &str) -> Result<Self, Self::Err> {
+ z85::decode(s).map(Self)
+ }
+}
+impl<'de> Deserialize<'de> for SecretWrapper {
+ fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+ where
+ D: Deserializer<'de>,
+ {
+ let v = String::deserialize(deserializer)?;
+ let de = z85::decode(v).map_err(|err| serde::de::Error::custom(err.to_string()))?;
+ Ok(Self(de))
+ }
+}
+
#[derive(Parser)]
#[clap(author)]
-struct Opts {
- data: PathBuf,
+enum Opts {
+ /// Install secrets from json specification
+ Install { data: PathBuf },
+ /// Reencrypt secret using host key, outputting in z85 encoded string
+ Reencrypt {
+ #[clap(long)]
+ secret: SecretWrapper,
+ #[clap(long)]
+ targets: Vec<String>,
+ },
+ /// Decrypt secret using host key, outputting in z85 encoded string
+ Decrypt {
+ #[clap(long)]
+ secret: SecretWrapper,
+ /// Shoult decoded output be printed as plaintext, instead of z85?
+ #[clap(long)]
+ plaintext: bool,
+ },
}
#[derive(Deserialize)]
@@ -25,8 +70,7 @@
mode: String,
owner: String,
- #[serde(deserialize_with = "from_z85")]
- secret: Option<Vec<u8>>,
+ secret: Option<SecretWrapper>,
public: Option<String>,
public_path: PathBuf,
@@ -36,21 +80,45 @@
stable_secret_path: PathBuf,
}
-fn from_z85<'de, D>(deserializer: D) -> Result<Option<Vec<u8>>, D::Error>
-where
- D: Deserializer<'de>,
-{
- use serde::de::Error;
- if let Some(v) = <Option<String>>::deserialize(deserializer)? {
- Ok(Some(
- z85::decode(v).map_err(|err| Error::custom(err.to_string()))?,
- ))
- } else {
- Ok(None)
- }
+type Data = HashMap<String, DataItem>;
+
+fn decrypt(input: &SecretWrapper, identity: &dyn Identity) -> Result<Vec<u8>> {
+ let mut input = Cursor::new(&input.0);
+ let decryptor = Decryptor::new(&mut input).context("failed to init decryptor")?;
+ let decryptor = match decryptor {
+ Decryptor::Recipients(r) => r,
+ Decryptor::Passphrase(_) => bail!("should be recipients"),
+ };
+ let mut decryptor = decryptor
+ .decrypt(iter::once(identity as &dyn age::Identity))
+ .context("failed to decrypt, wrong key?")?;
+
+ let mut decrypted = Vec::new();
+ decryptor
+ .read_to_end(&mut decrypted)
+ .context("failed to decrypt")?;
+ Ok(decrypted)
+}
+fn encrypt(input: &[u8], targets: Vec<String>) -> Result<SecretWrapper> {
+ let recipients = targets
+ .into_iter()
+ .map(|t| {
+ SshRecipient::from_str(&t).map_err(|e| anyhow!("failed to parse recipient: {e:?}"))
+ })
+ .collect::<Result<Vec<SshRecipient>>>()?;
+ let recipients = recipients
+ .into_iter()
+ .map(|v| Box::new(v) as Box<dyn Recipient + Send>)
+ .collect::<Vec<_>>();
+ let mut encrypted = vec![];
+ let mut encryptor = Encryptor::with_recipients(recipients)
+ .expect("recipients provided")
+ .wrap_output(&mut encrypted)
+ .expect("constructor should not fail");
+ io::copy(&mut Cursor::new(input), &mut encryptor).expect("copy should not fail");
+ encryptor.finish().context("failed to finish encryption")?;
+ Ok(SecretWrapper(encrypted))
}
-
-type Data = HashMap<String, DataItem>;
fn init_secret(identity: &age::ssh::Identity, value: DataItem) -> Result<()> {
if let Some(public) = &value.public {
@@ -93,23 +161,7 @@
let mut hashed = File::create(&value.secret_path)?;
// File is owned by root, and only root can modify it
- let decrypted = {
- let mut input = Cursor::new(&secret);
- let decryptor = Decryptor::new(&mut input).context("failed to init decryptor")?;
- let decryptor = match decryptor {
- Decryptor::Recipients(r) => r,
- Decryptor::Passphrase(_) => bail!("should be recipients"),
- };
- let mut decryptor = decryptor
- .decrypt(iter::once(identity as &dyn age::Identity))
- .context("failed to decrypt, wrong key?")?;
-
- let mut decrypted = Vec::new();
- decryptor
- .read_to_end(&mut decrypted)
- .context("failed to decrypt")?;
- decrypted
- };
+ let decrypted = decrypt(&secret, identity)?;
if decrypted.is_empty() {
warn!("secret is decoded as empty, something is broken?");
}
@@ -132,13 +184,19 @@
Ok(())
}
-fn main() -> anyhow::Result<()> {
- env_logger::Builder::new()
- .filter_level(log::LevelFilter::Info)
- .init();
+fn host_identity() -> anyhow::Result<SshIdentity> {
+ let identity = SshIdentity::from_buffer(
+ &mut Cursor::new(
+ fs::read("/etc/ssh/ssh_host_ed25519_key").context("failed to read host private key")?,
+ ),
+ None,
+ )
+ .context("failed to parse identity")?;
+ Ok(identity)
+}
- let opts = Opts::parse();
- let data = fs::read(&opts.data).context("failed to read secrets data")?;
+fn install(data: &Path) -> anyhow::Result<()> {
+ let data = fs::read(data).context("failed to read secrets data")?;
let data_str = from_utf8(&data).context("failed to read data to string")?;
let data: Data = serde_json::from_str(data_str).context("failed to parse data")?;
@@ -149,13 +207,7 @@
fs::create_dir("/run/secrets").context("failed to create secrets directory")?;
}
- let identity = age::ssh::Identity::from_buffer(
- &mut Cursor::new(
- fs::read("/etc/ssh/ssh_host_ed25519_key").context("failed to read host private key")?,
- ),
- None,
- )
- .context("failed to parse identity")?;
+ let identity = host_identity()?;
let mut failed = false;
for (name, value) in data {
@@ -174,3 +226,35 @@
Ok(())
}
+
+fn main() -> anyhow::Result<()> {
+ env_logger::Builder::new()
+ .filter_level(log::LevelFilter::Info)
+ .init();
+
+ let opts = Opts::parse();
+
+ match opts {
+ Opts::Install { data } => install(&data),
+ Opts::Reencrypt { secret, targets } => {
+ let identity = host_identity()?;
+ let decrypted = decrypt(&secret, &identity).context("during decryption")?;
+ let encrypted = encrypt(&decrypted, targets).context("during re-encryption")?;
+
+ println!("{encrypted}");
+ Ok(())
+ }
+ Opts::Decrypt { secret, plaintext } => {
+ let identity = host_identity()?;
+ let decrypted = decrypt(&secret, &identity).context("during decryption")?;
+
+ if plaintext {
+ let s = String::from_utf8(decrypted).context("output is not utf8")?;
+ print!("{}", s);
+ } else {
+ println!("{}", SecretWrapper(decrypted));
+ }
+ Ok(())
+ }
+ }
+}
modules/fleet/secrets.nixdiffbeforeafterboth--- a/modules/fleet/secrets.nix
+++ b/modules/fleet/secrets.nix
@@ -20,9 +20,18 @@
'';
default = [ ];
};
+ ownerDependent = mkOption {
+ type = bool;
+ description = "Is this secret owner-dependent, and needs to be regenerated on ownership set change, or it may be just reencrypted";
+ };
generator = mkOption {
- type = package;
- description = "Derivation to execute for secret generation";
+ type = nullOr package;
+ description = ''
+ Derivation to execute for secret generation
+
+ If null - may only be created manually
+ '';
+ default = null;
};
expireIn = mkOption {
type = nullOr int;
nixos/secrets.nixdiffbeforeafterboth--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -89,9 +89,10 @@
};
};
config = {
+ environment.systemPackages = with pkgs; [pkgs.fleet-install-secrets];
system.activationScripts.decryptSecrets = stringAfter [ "users" "groups" "specialfs" ] ''
1>&2 echo "setting up secrets"
- ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets ${secretsFile}
+ ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets install ${secretsFile}
'';
};
}